Register Panorama with the ZTP Service for New Deployments
Register the Panorama™ management server with the ZTP
service for new ZTP deployments.
After you install the ZTP plugin on the Panorama™
management server, you must register the Panorama with the ZTP service
to enable the ZTP service to associate firewalls with the Panorama.
As part of the registration process for a new ZTP deployment, you automatically
generate the device group and template configurations required to
connect your ZTP firewalls to the ZTP service. After the device
group and template are automatically generated, you must add your
ZTP firewalls to the device group and template so they can connect
to the ZTP service after they first connect to Panorama.
- Log in to the Palo Alto Networks Customer Support Portal (CSP).
- Associate your Panorama with the ZTP Service on the Palo Alto Networks Customer Support Portal (CSP). The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.
- Select Assets > ZTP Service and Associate Panorama(s).
- Select the serial number of the Panorama managing your ZTP firewalls.
- (HA only) Select the serial number of the Panorama HA peer.
- Click OK.
- Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP settings.
- Register Panorama with the ZTP service.
- Enable ZTP Service.
- Enter the Panorama FQDN or IP Address. This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that the CSP pushes to the ZTP firewalls. (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade. If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
- (HA only) Enter the Peer FQDN or IP Address. This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that the CSP pushes to the ZTP firewalls in case of failover. (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade. If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
- Click OK to save your configuration changes.
- Create the default device group and template to automatically generate the required configuration to connect your ZTP firewalls to Panorama. Adding the device group and template automatically generates a new device group and template that contain the default configuration to connect the Panorama and the ZTP firewalls.
- Add Device Group and Template.
- Enter the Device Group name.
- Enter the Template name.
- Click OK to save your configuration changes.
- Add your ZTP firewalls to the device group and template specified in the previous step.
- Select Panorama > Device Groups and select the device group that was automatically created.
- Select the ZTP Devices.
- Click OK to save your configuration changes.
- Select Panorama > Templates and Add Stack.
- In the Templates section, Add the template that was automatically generated.
- Select the ZTP Devices.
- Click OK to save your configuration changes.
- Verify that the required device group and template configurations generated successfully.
- Select Network > Interfaces > Ethernet and select the Template you created in the previous step.
- Verify that ethernet1/1 is configured with an IP Address, Virtual Router, and Security Zone.
- Select Network > Interfaces > Loopback and select the Template you created in the previous step.
- Verify that the loopback.900 interface is successfully created.
- Select Policies > Security > Pre Rules and select the Device Group you created in the previous step.
- Verify that rule1 is successfully created.
- Select Policies > NAT > Pre Rules and select the Device Group you created in the previous step.
- Verify that ztp-nat is successfully created.
- Modify your device groups and templates as needed. Create and configure new or existing device groups and templates to complete your deployment. When considering your device group hierarchy and template priority in your template stack, ensure that the device group and template containing the required ZTP configuration that allows the ZTP firewall and Panorama to communicate have priority such that the configuration is not overridden in the event of conflicting configurations. Do not modify the IP address, virtual router, and Security zone of the ethernet1/1 interface, the loopback.900 loopback interface, the rule1 Security policy rule, or ztp-nat NAT policy rule. These configurations are required to connect your ZTP firewall to Panorama.
- Select Commit and Commit to Panorama.
- Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.
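
The verification step above can also be run against an exported Panorama configuration to catch later changes that remove a required ZTP object. The following is an added example, not part of the original procedure or Palo Alto Networks code; the XML layout of the sample export, the names `ztp-dg` and `ztp-tmpl`, and the function `missing_ztp_objects` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed configuration export. The element layout and
# the names ztp-dg / ztp-tmpl are assumptions, not values from this page.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
 <template><entry name="ztp-tmpl"><config><devices>
  <entry name="localhost.localdomain"><network><interface>
   <ethernet><entry name="ethernet1/1"><layer3/></entry></ethernet>
   <loopback><units><entry name="loopback.900"/></units></loopback>
  </interface></network></entry>
 </devices></config></entry></template>
 <device-group><entry name="ztp-dg"><pre-rulebase>
  <security><rules><entry name="rule1"/></rules></security>
  <nat><rules><entry name="ztp-nat"/></rules></nat>
 </pre-rulebase></entry></device-group>
</entry></devices></config>"""


def missing_ztp_objects(config_xml, device_group, template):
    """Return the names of required ZTP objects absent from the export."""
    for name in (device_group, template):
        if "'" in name:
            # Names are placed inside quoted path predicates below.
            raise ValueError(f"unsupported character in name: {name!r}")
    root = ET.fromstring(config_xml)
    tmpl = f".//template/entry[@name='{template}']"
    rules = f".//device-group/entry[@name='{device_group}']/pre-rulebase"
    # The four objects the procedure says must exist and must not be modified.
    required = {
        "ethernet1/1": f"{tmpl}//ethernet/entry[@name='ethernet1/1']",
        "loopback.900": f"{tmpl}//loopback/units/entry[@name='loopback.900']",
        "rule1": f"{rules}/security/rules/entry[@name='rule1']",
        "ztp-nat": f"{rules}/nat/rules/entry[@name='ztp-nat']",
    }
    return [obj for obj, path in required.items() if root.find(path) is None]


if __name__ == "__main__":
    missing = missing_ztp_objects(SAMPLE_CONFIG, "ztp-dg", "ztp-tmpl")
    print("missing required ZTP objects:", missing or "none")
```

The check covers presence only; the IP address, virtual router, and Security zone of ethernet1/1 still need to be reviewed in the template.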